@Configuration
public class WebSecurityConfig
    extends WebSecurityConfigurerAdapter {
    private final JWTFilter jwtFilter;
    // ...
    @Override
    protected void configure(HttpSecurity http)
        throws Exception {
        http.csrf().disable()
            .addFilterBefore(/* ... */)
            .cors()
            .and()
            .authorizeRequests()
            .antMatchers("/auth/**").permitAll()
            .antMatchers(HttpMethod.GET, "**/*.html").permitAll()
            .anyRequest().authenticated()
            // ...
    }
}
